I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Gmail From Petraeus' Mistress Just One Of 7,172 Times U.S. Government Accessed Google Users' Data This Year

If Paula Broadwell feels her privacy was violated when the FBI gained access to the Gmail account she used to communicate with her amorous biography subject, CIA director David Petraeus, she can at least take comfort that she’s not alone.

In Google’s semi-annual transparency report released Tuesday, the company stated that it received 20,938 requests from governments around the world for its users’ private data in the first six months of 2012. Nearly 8,000 of those requests came from the U.S. government, and 7,172 of them were fulfilled to some degree, an increase of 26% from the prior six months, according to Google’s stats.

Starting in May, the FBI gained access to Gmail accounts used by Broadwell to communicate with Petraeus over the course of their affair, according to a report in the Wall Street Journal. Though only Broadwell’s emails were monitored–not Petraeus’–the investigation led to a deeper investigation of Broadwell that exposed classified information on her computers that may have been given to her by Petraeus, one of the possible factors leading to Petraeus’ resignation.

As the details of the Petraeus scandal unfold, however, attention has already turned to the FBI’s impetus to begin snooping on Broadwell’s emails–a series of vaguely threatening messages written to Jill Kelley, a friend of Petraeus and of an FBI agent involved in the subsequent investigation. As Glenn Greenwald of the Guardian writes, “It appears that the FBI not only devoted substantial resources, but also engaged in highly invasive surveillance, for no reason other than to do a personal favor for a friend of one of its agents, to find out who was very mildly harassing her by email.”

If the Broadwell investigation, and Google’s cooperation, were based merely on the FBI doing a favor for a friend, the incident raises serious questions about the criteria that law enforcement and the justice system use to demand access to a user’s data held by a private company.

Correction: A previous version of this story raised questions about Google’s criteria for passing data to law enforcement officials. But in fact, the Wall Street Journal and New York Times’ reporting implies that the FBI likely sought and received a warrant for Broadwell’s data, which would reduce Google’s leeway in deciding how to respond to the Bureau’s request.

Government requests for Google users' data over time.

When I asked Google policy director Dorothy Chou about the standards for valid requests for Google users’ data earlier this year, she said that the company requires that the requests come in a written form, are sent from an appropriate agency, cite a criminal case and are sufficiently narrow in their demands, both in terms of which users are affected and what time frame of data is requested. “We want to show that we’re advocating on your behalf. But we also want to do right by the spirit and letter of the law,” Chou said at the time.

I’ve asked Google for more information about the criteria used in its data handover decisions in the Broadwell case, and will update this post if I hear back from the company.

Google, it should be noted, remains one of just a few companies that voluntarily release data about the information they hand over to governments for surveillance purposes, along with Twitter, Dropbox, and the California Internet service provider Sonic.net. As Google’s Chou noted in the statement that accompanies the company’s report, other firms including Facebook, Microsoft, and Yahoo! offer no such transparency. “The information we disclose is only an isolated sliver showing how governments interact with the Internet, since for the most part we don’t know what requests are made of other technology or telecommunications companies,” Chou writes.

Nonetheless, Google’s report continues to show a steady increase in the government’s appetite for the search giant’s data. When the report launched in 2009, Google received only 3,580 U.S. government requests for users’ information, less than half the number in the most recent period.

Under the Stored Communications Act, much of Internet companies’ data is up for grabs for law enforcement, often without a warrant. Google, Microsoft, Apple, Amazon and others have fought for reform of the SCA, part of the larger Electronic Communications Privacy Act, with a lobbying effort known as Digital Due Process. But as Google’s numbers show, the siphon of private user data from Internet firms to government agencies has only grown.

Without a strict legal standard for the handover of that data, the variables those companies weigh to decide whether to release users’ secrets remain largely unclear. Let’s hope that in most cases–as in Broadwell’s–an invasion of a user’s privacy requires more than offending the wrong friend of an FBI agent.
